海角官方首页 IT Patch Management Policy
X-99.13(A) | Information Technology | Approved May 13, 2025
Responsible VP/AVP: Peter J. Murray, PhD, CAS, MS
Applies to: Staff
Revision History
Reviewed 04/30/2024
Purpose
Addressing IT security vulnerabilities effectively and efficiently through the application of security patches reduces the risk of device, information system and data exploitation. This policy outlines the responsibilities and procedures for managing vulnerabilities and applying patches to ensure the security and integrity of 海角官方首页's information systems, computing devices, and data.
Policy Statement
海角官方首页 information systems and computing devices must be regularly assessed for security vulnerabilities. A regular, ongoing process of applying security patches to 海角官方首页-owned systems and devices must be followed. A security vulnerability identified as a zero-day vulnerability by trusted sources, such as CISA (Cybersecurity and Infrastructure Security Agency), must be addressed immediately. Critical or high-rated vulnerabilities reported to MITRE’s CVE (Common Vulnerabilities and Exposures) program must be fixed within 30 days of a vendor’s patch or hotfix release. If there is a compelling reason why a patch for a critical or high vulnerability cannot be applied within 30 days, an exception must be requested from 海角官方首页 IT Security and Compliance. IT Security and Compliance will review, assess, and document the situation and determine whether a temporary exception can be approved. Security vulnerabilities rated medium or low must be patched as soon as possible.
Scope and Exceptions
This policy applies to all 海角官方首页 computing devices and information systems, including all software, hardware, and network components. It covers all stages of vulnerability management, from identification and assessment to remediation.
Roles and Responsibilities
海角官方首页 IT Security and Compliance: Responsible for conducting regular vulnerability scans and assessments, and for maintaining records of security vulnerabilities and remediations.
Computing Device and Information System Owners: Responsible for applying patches and ensuring that 海角官方首页 computing devices and information systems are compliant with this policy, and for reporting any issues or requested exceptions to 海角官方首页 IT Security and Compliance.
Procedures
Vulnerability Assessment: Conducting regular scans to identify vulnerabilities in 海角官方首页 information systems.
Patch Management: Applying security patches promptly to address identified vulnerabilities, and documenting and approving any exceptions.
Monitoring and Reporting: Monitoring systems for compliance with this policy and reporting any deviations to the 海角官方首页 Chief Information Security Officer.